How Do I Secure My Webhooks in Zoho Subscriptions?

Securing your webhooks lets your server verify that a webhook was actually sent by Zoho Subscriptions.

To do this, set up your server to listen for webhooks from Zoho Subscriptions. When your server receives a webhook, it generates a hash value from the payload and your secret token, then compares it with the hash value sent by Zoho Subscriptions; a match validates the source of the webhook. This adds a layer of security by letting your server disregard third-party webhooks that pretend to originate from Zoho Subscriptions.

To secure your webhooks:

Go to Settings > Automation > Webhooks.

Click + New Webhook.

Mark the I want to secure this webhook box.

Enter a Secret Token of your choice. It must be alphanumeric and between 12 and 50 characters long.

Insight: This token is used to compute the hash value, so the same token must be available on your server to compute the matching hash value.

Click Save to set up the webhook.

Now, the webhook will be sent with a hash value in its header (X-Zoho-Webhook-Signature).

Validating the Webhook from Your Side

When your server receives the webhook, it must generate a hash value for the payload in the same way that Zoho Subscriptions generated it. Only then will the two hash values match and the webhook be validated.

The following parameters (if available) need to be used to generate the hash value:

Query string parameters.

Default payload/Customized raw JSON payload.

x-www-form-urlencoded payload (key-value pairs).

Construct a string from the payload’s key-value pairs, sorted alphabetically by key.

Points to remember while constructing the string:

If your webhook contains query string parameters, ensure that those key-value pairs are sorted along with the payload’s key-value pairs.

There cannot be any spaces between the key-value pairs.

Once you’ve sorted the key-value pairs and constructed the string, append the raw JSON to the end of the string.

Warning: If your payload is in the x-www-form-urlencoded format, then the entire string must be decoded before generating the hash value.
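As an added example that is not from the Zoho Subscriptions documentation, the following Python code builds the string as described above, hashes it with the secret token, and compares the result with the X-Zoho-Webhook-Signature header in constant time. The key=value layout with no separator between pairs and the use of an HMAC-SHA256 hex digest are assumptions, since the page does not spell them out; the secret token, query string and payload are constructed sample values.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl

# Constructed sample values (not real Zoho data).
SECRET_TOKEN = "constructedSecret1234"          # alphanumeric, 12-50 characters
SAMPLE_QUERY = "event=created&account=acme"
SAMPLE_JSON = '{"subscription":{"subscription_id":"sub-001"}}'


def build_signing_string(query_params, form_params=None, raw_json=None):
    """Merge query-string and form pairs, sort by key, join with no spaces,
    then append the raw JSON (if any). Assumption: each pair is written as
    key=value and pairs are concatenated with no separator."""
    pairs = list(query_params) + list(form_params or [])
    pairs.sort(key=lambda kv: kv[0])
    signing_string = "".join(f"{key}={value}" for key, value in pairs)
    if raw_json is not None:
        signing_string += raw_json
    return signing_string


def compute_signature(secret_token, signing_string):
    """Assumption: the hash is an HMAC-SHA256 hex digest keyed by the secret token."""
    return hmac.new(secret_token.encode("utf-8"),
                    signing_string.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def verify_webhook(secret_token, header_signature, query_string, body, content_type):
    """Return True only if the recomputed hash matches the header value."""
    # parse_qsl percent-decodes keys and values, which covers the warning
    # that x-www-form-urlencoded data must be decoded before hashing.
    query_params = parse_qsl(query_string, keep_blank_values=True)
    if content_type.startswith("application/x-www-form-urlencoded"):
        form_params = parse_qsl(body, keep_blank_values=True)
        raw_json = None
    else:
        form_params = []
        raw_json = body                       # default or customised raw JSON payload
    expected = compute_signature(secret_token,
                                 build_signing_string(query_params, form_params, raw_json))
    # Constant-time comparison avoids leaking the expected value via timing.
    return hmac.compare_digest(expected, header_signature or "")


if __name__ == "__main__":
    sig = compute_signature(SECRET_TOKEN, build_signing_string(
        parse_qsl(SAMPLE_QUERY), None, SAMPLE_JSON))
    print(verify_webhook(SECRET_TOKEN, sig, SAMPLE_QUERY, SAMPLE_JSON, "application/json"))
```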

For example, this is how you’d construct a string for a webhook with query string parameters and a default payload: